1

I have a php application that pulls in pages from a separate domain via iframes. These pages are using cookies.

I've noticed some browsers have a default set that blocks any external cookies. This is going to cause quite a problem for me.

I've heard mention of P3P but can't find much mention about how to implement it with cookies.

Any help most appreciated,

Jonesy

iamjonesy
  • P3P is just an informational description format, on what webservices store about you. It has no technical influence over cookie and security behaviour whatsoever; some browsers provide warnings at best. – mario Dec 22 '10 at 20:14
  • I don't know much about P3P but I added a P3P header after setting the session and all browsers are now accepting my cookies – iamjonesy Dec 23 '10 at 17:03
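The pattern the asker reports in the comment above (a P3P compact-policy header sent on the same response that sets the session cookie), as an added example rather than code from the question or answers; the cookie domain and the policy tokens are assumptions, and the tokens must be replaced by a policy that truthfully describes the site's data practices:

```php
<?php
// Added example, not code from the question or answers. A page on the embedded
// (third-party) domain sends a P3P compact-policy header in the same response
// that sets its session cookie; browsers of that era (Internet Explorer in
// particular) would otherwise drop a cookie set from inside a cross-domain
// iframe. P3P is purely informational: the tokens below ("CAO PSA OUR") are
// placeholders and must describe what this site actually collects and why.
// The cookie domain is an assumed value for the example.

const P3P_COMPACT_POLICY = 'CP="CAO PSA OUR"';

/**
 * Start the session for a page that will be embedded in a foreign iframe.
 * Returns true when both the P3P header and the session cookie could still be
 * emitted, false if output had already begun (then no header can be sent and
 * the cookie would silently fail to be set).
 */
function start_embedded_session(): bool
{
    if (headers_sent($file, $line)) {
        error_log("Cannot send P3P/session headers: output started at $file:$line");
        return false;
    }

    // The P3P header must travel with Set-Cookie, so send it before
    // session_start() emits the session cookie.
    header('P3P: ' . P3P_COMPACT_POLICY);

    // Scope the cookie to the embedded domain only; HttpOnly keeps it out of
    // script reach and Secure limits it to HTTPS (PHP 7.3+ array form).
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => 'embedded.example', // assumed domain of the framed site
        'secure'   => true,
        'httponly' => true,
    ]);

    return session_start();
}

if (start_embedded_session()) {
    $_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
    echo 'Embedded page, visit #' . $_SESSION['visits'];
}
```

The header only makes the framed site's own cookie acceptable to the browser; it does nothing to let the framing page read it, which is the point the answers below make.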

2 Answers

3

It would be extremely bad if you could access an external site's cookies just by embedding it in an iframe. Just imagine if you were able to access facebook.com's session cookie just by embedding it.

Maerlyn
  • +1 If you could do that, it would make firesheep attacks seem very tame in comparison. – Byron Whitlock Dec 22 '10 at 20:31
  • But I can access facebook's session cookie if I go directly to facebook though? – iamjonesy Dec 22 '10 at 20:50
  • I'm not sure what you mean. If the browser goes to facebook.com, it sends all cookies belonging to that domain as part of the request. Same as every other site. What I'm saying is that under no circumstances should you be able to access domain1's cookies from domain2's JS code. Without a browser bug, that is. – Maerlyn Dec 22 '10 at 20:55
1

Just to clarify what Maerlyn is saying - what you're describing is impossible. The website can only access cookies from its own domain. When you go to facebook.com, your facebook cookies are sent to that domain. When you go to google, your facebook cookies are NOT sent there. There is no way for Google to look at your Facebook cookies, even if it uses iframes. Period. This is a security feature.

So, I suggest you look at other ways to design your software system. For example, if the website you're embedding has an API, I'd use that. Or do a back-end service synchronization to pull in user information. In any case, you need the consent of the other service / other domain to do this.

Alex Weinstein